Border Patrol Those who use technology, and those who pay its bills, want to know why their identities are at risk, their financial assets exposed, and their day-to-day ability to get on with their jobs under constant threat from both irresponsible pranksters and chillingly professional criminals (not to mention unreliable technologies). Theyre feeling not merely disappointed but genuinely betrayed by the broken promises of what no one could accurately call "secure" computing.Indeed, IT architects are keenly aware of their need to divert scarce resources. "Perimeter defenses are more important than ever," said Robert Rosen, CIO at the National Institute of Arthritis and Musculoskeletal and Skin Diseases, in Bethesda, Md., and an eWeek Corporate Partner. "Im seeing statistics across the Department of Health and Human Services. The good news is, we are defending ourselves well. The bad news is, there is a significant cost. And what were spending there, were not spending on medical research to benefit millions." Too many IT sites betray themselves by spending money on security technology, then spending administrator time to deal with complications in ways that all too often neutralize the expected (and assumed) security benefits. "People get a false sense of security after deploying technologies that they dont really understand," said iDefenses Kelly. "They think as long as the lights are on, its working. Tools are improperly installed, improperly maintained or mis-configuredafter all, the administrators job is moving data." The experience of eWeek Labs own international OpenHack challenges affirms Kellys contention that mis-configured systems are a principal source of problems that no legislation will ever prevent. Independent agencies such as The SANS Institute and the FBI also rank this problem high on their lists of security threats. A major cause of dissatisfaction and a driver in the process of continually relaxing security settings just to get through the day is the high rate of false-positive warnings issued by many tools. "Typically, when someone does a vulnerability scan, they get 200 vulnerabilities," said Symantecs Weafer. "But if you look at your top attacks, you can actually take care of them by handling just a few of those." A tiny fraction of known vulnerabilities, Weafer said, account for the vast majority of common attacks, which is why its necessary to develop a security posture based on actual rather than potential threats. Whats needed, as much as possible, are tools that continually learn whats normal and involve only administrators in deciding how to deal with the unusual. The whole proposition is "crazy, unless you have automated tools," said United Labor Banks Schwedhelm. "You must keep human intervention to a minimum." The long-sought goal of combining security with administrator productivity is the promise made by Stratum8 Networks Inc., whose Stratum8 APS appliance uses several patented algorithms to develop a site-specific model of acceptable behavior after one or two days in a nonblocking "learning" mode. "Suppose were in learning mode and we see 40,000 out of 40,000 sessions coming back with 18 bytes appended to the cookie," said Stratum8 CEO Bob Walters, in Santa Clara, Calif. "We wouldnt call that Gods own denial-of-service attack. Wed nominate a relaxation rule, but we wouldnt activate that rule until a human says, Yea, verily. And so we have zero complaints from the field about false positives." By operating at the application level, Walters said, the Stratum8 approach can develop a much more efficient model than those approaches lacking high-level knowledge of whats supposed to be happening. "Even for complex Web sites, were only generating one or two dozen relaxations, unlike intrusion detection systems at the network domain with hundreds or even thousands of such expressions," he said. The Stratum8 technology has not yet been tested at eWeek Labs, but independent reports on the companys product are consistent with this claim. Other vendors are also seeking greater leverage by shifting the fulcrum of protectionseeking a better balance between resources and results at the higher level of the application server, rather than struggling in the chaos of the network edge. "The concept of firewalls emerged when we opened up e-mail or other specific services and limited the holes," said Rod Murchison, vice president of product development at Ingrian Networks Inc., in Redwood City, Calif. "Now, what were seeing is that all the threats are coming in over protocols that we have to keep open to stay in business. Web servers are where were seeing the most damaging threats." This is likewise consistent with eWeek Labs OpenHack observations, in which attackers have systematically moved up the food chain to attack the application layer when lower-level vulnerabilities were addressed. A problem that threatens the effectiveness of all perimeter-focused security systems is the growing fraction of traffic that crosses that boundary in some kind of encrypted form. "The newest threat were seeing is Nimda and Code Red being modified to work over SSL [Secure Sockets Layer]," said Ingrian Networks Murchison. "Theres an encrypted tunnel from client to server; most of the servers deployed today are terminating SSL at a card inside the server itself." To protect the server against attacks that pervert defensive systems into protective camouflage, Ingrians appliances reclaim control of incoming traffic. "Were able to break open connections as theyre transmitted to the server," Murchison said. "We can scan through the data, find a credit card number, for example, and encrypt it before it goes back to the server. Anything with a format or a structure, XML or SOAP [Simple Object Access Protocol] or whatever, we can find and encrypt with a key thats stored in hardware. Were getting very serious about field-level encryption." Were sure that computer-chip makers smile at the thought of enterprise buyers encrypting, decrypting and re-encrypting the same data, because networks are assembled piecemeal rather than from a unified design, but its probably the price of enjoying the other economies of an independent Internet rather than a proprietary value-added network. In the long run, eWeek Labs prefers systems that let enterprise managers see exactly whats flowing where, rather than monolithic systems that may be more efficient but suffer from risks of single-point failure and use technologies not subject to peer review. On the plus side, enterprises are rapidly adopting encryption-based VPN (virtual private network) solutions, with results that they find pleasantly surprising (a phrase uncommon in security discussions). "The implementation of a VPN resulted in increased bandwidth, reduced costs and higher reliability than the frame network," said FN Manufacturings Benincasa. "Users are pleased, and even though they do not necessarily understand VPN technology, they are happy with the change and accept it." Benincasas experience suggests that IT administrators may be able to accompany the nuisance of increased security with other improvements so that users perceive, overall, an improvement in utility that encourages greater cooperation with security measures.
Perhaps the worst sense of broken faith in IT systems security is among those "who think theyre done," said Symantecs Weafer. "They have anti-virus, they have a firewall, and they think theyve paid the security bill. But you cant afford to just do the same thing."